Re: [TLS] Quest for Unified Solution to TLS Renegotiation
Marsh Ray <marsh@extendedsubset.com> Thu, 26 November 2009 16:33 UTC
Return-Path: <marsh@extendedsubset.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id D1E5A3A6978 for <tls@core3.amsl.com>; Thu, 26 Nov 2009 08:33:21 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.462
X-Spam-Level:
X-Spam-Status: No, score=-2.462 tagged_above=-999 required=5 tests=[AWL=0.137, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id neB7JNmgtqTN for <tls@core3.amsl.com>; Thu, 26 Nov 2009 08:33:21 -0800 (PST)
Received: from mho-01-ewr.mailhop.org (mho-01-ewr.mailhop.org [204.13.248.71]) by core3.amsl.com (Postfix) with ESMTP id 0F8763A6861 for <tls@ietf.org>; Thu, 26 Nov 2009 08:33:21 -0800 (PST)
Received: from xs01.extendedsubset.com ([69.164.193.58]) by mho-01-ewr.mailhop.org with esmtpa (Exim 4.68) (envelope-from <marsh@extendedsubset.com>) id 1NDhHP-000KUa-4a; Thu, 26 Nov 2009 16:33:15 +0000
Received: from [127.0.0.1] (localhost [127.0.0.1]) by xs01.extendedsubset.com (Postfix) with ESMTP id F2391603A; Thu, 26 Nov 2009 16:33:11 +0000 (UTC)
X-Mail-Handler: MailHop Outbound by DynDNS
X-Originating-IP: 69.164.193.58
X-Report-Abuse-To: abuse@dyndns.com (see http://www.dyndns.com/services/mailhop/outbound_abuse.html for abuse reporting information)
X-MHO-User: U2FsdGVkX19mc4gNyiOPvCX3vVS5DLA/Wyl+l3AJF4E=
Message-ID: <4B0EADC6.4070306@extendedsubset.com>
Date: Thu, 26 Nov 2009 10:33:10 -0600
From: Marsh Ray <marsh@extendedsubset.com>
User-Agent: Thunderbird 2.0.0.23 (Windows/20090812)
MIME-Version: 1.0
To: David-Sarah Hopwood <david-sarah@jacaranda.org>
References: <4B0D9B94.9080205@pobox.com> <20091125225408.42FB96C3288@kilo.networkresonance.com> <4B0DBB97.5050500@pobox.com> <4B0DFB03.5020201@pobox.com> <4B0E1501.5080002@jacaranda.org>
In-Reply-To: <4B0E1501.5080002@jacaranda.org>
X-Enigmail-Version: 0.96.0
OpenPGP: id=1E36DBF2
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Cc: tls@ietf.org
Subject: Re: [TLS] Quest for Unified Solution to TLS Renegotiation
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 26 Nov 2009 16:33:21 -0000
David-Sarah Hopwood wrote: > Michael D'Errico wrote: >>> Eric Rescorla wrote: >>> >>>>> 3) Incorporate previous verify_data into Finished calc. >>>> I'm not happy with this, actually. >> Would this work: >> >> Finished = verify_data XOR previous_verify_data > > No. The previous_verify_data has to be in the input to the PRF > that also depends on the master_secret. If you just XOR it to > the output, then the attacker doesn't need to know the master_secret > in order to change the unmodified Finished to the modified one. If I understand it correctly, Mitm could decrypt the renegotiated Finished message record, modify it, and re-encrypt it. Effectively this means the authentication and integrity guarantees on protocol could be no stronger than the encryption. That could be a significant weakening of the protocol's security. Another attack would require Mitm to arrange for an arbitrary Finished message on the previous session. In order to do that he would have to a) know ahead of time what value to construct and b) succeed at a first preimage attack on the hash function represented by 12 bytes from the PRF Pulling off (a) would be hard because of the unpredictable random_data bytes in the other side's Hello message. (b) would mean the protocol was so broken that he wouldn't need renegotiation to compromise it. It's worth noting here that this hash output is 96 bits. The NIST hash selection process for the successor to SHA requires a minimum output size of 224 bits. - Marsh
- [TLS] Quest for Unified Solution to TLS Renegotia… Michael D'Errico
- Re: [TLS] Quest for Unified Solution to TLS Reneg… Marsh Ray
- Re: [TLS] Quest for Unified Solution to TLS Reneg… Martin Rex
- Re: [TLS] Quest for Unified Solution to TLS Reneg… Stefan Santesson
- Re: [TLS] Quest for Unified Solution to TLS Reneg… Eric Rescorla
- Re: [TLS] Quest for Unified Solution to TLS Reneg… Hovav Shacham
- Re: [TLS] Quest for Unified Solution to TLS Reneg… Michael D'Errico
- Re: [TLS] Quest for Unified Solution to TLS Reneg… Eric Rescorla
- Re: [TLS] Quest for Unified Solution to TLS Reneg… Martin Rex
- Re: [TLS] Quest for Unified Solution to TLS Reneg… Michael D'Errico
- Re: [TLS] Quest for Unified Solution to TLS Reneg… Martin Rex
- Re: [TLS] Quest for Unified Solution to TLS Reneg… Martin Rex
- Re: [TLS] Quest for Unified Solution to TLS Reneg… Michael D'Errico
- Re: [TLS] Quest for Unified Solution to TLS Reneg… David-Sarah Hopwood
- Re: [TLS] Quest for Unified Solution to TLS Reneg… David-Sarah Hopwood
- Re: [TLS] Quest for Unified Solution to TLS Reneg… David-Sarah Hopwood
- Re: [TLS] Quest for Unified Solution to TLS Reneg… Martin Rex
- Re: [TLS] Quest for Unified Solution to TLS Reneg… Martin Rex
- Re: [TLS] Quest for Unified Solution to TLS Reneg… Yoav Nir
- Re: [TLS] Quest for Unified Solution to TLS Reneg… David-Sarah Hopwood
- Re: [TLS] Quest for Unified Solution to TLS Reneg… Martin Rex
- Re: [TLS] Quest for Unified Solution to TLS Reneg… Blumenthal, Uri - 0662 - MITLL
- Re: [TLS] Quest for Unified Solution to TLS Reneg… Blumenthal, Uri - 0662 - MITLL
- Re: [TLS] Quest for Unified Solution to TLS Reneg… Martin Rex
- Re: [TLS] Quest for Unified Solution to TLS Reneg… Blumenthal, Uri - 0662 - MITLL
- Re: [TLS] Quest for Unified Solution to TLS Reneg… Marsh Ray
- Re: [TLS] Quest for Unified Solution to TLS Reneg… David-Sarah Hopwood
- Re: [TLS] Quest for Unified Solution to TLS Reneg… David-Sarah Hopwood
- Re: [TLS] Quest for Unified Solution to TLS Reneg… Martin Rex
- Re: [TLS] Quest for Unified Solution to TLS Reneg… Michael D'Errico
- Re: [TLS] Quest for Unified Solution to TLS Reneg… David-Sarah Hopwood
- Re: [TLS] Quest for Unified Solution to TLS Reneg… Martin Rex
- Re: [TLS] Quest for Unified Solution to TLS Reneg… Michael D'Errico
- Re: [TLS] Quest for Unified Solution to TLS Reneg… Martin Rex
- Re: [TLS] Quest for Unified Solution to TLS Reneg… David-Sarah Hopwood
- Re: [TLS] Quest for Unified Solution to TLS Reneg… Blumenthal, Uri - 0662 - MITLL
- Re: [TLS] Quest for Unified Solution to TLS Reneg… David-Sarah Hopwood
- Re: [TLS] Quest for Unified Solution to TLS Reneg… Stephen Farrell
- Re: [TLS] Quest for Unified Solution to TLS Reneg… Yoav Nir
- Re: [TLS] Quest for Unified Solution to TLS Reneg… Nelson B Bolyard
- Re: [TLS] Quest for Unified Solution to TLS Reneg… Nelson B Bolyard
- Re: [TLS] Quest for Unified Solution to TLS Reneg… Blumenthal, Uri - 0662 - MITLL
- Re: [TLS] Quest for Unified Solution to TLS Reneg… Martin Rex
- Re: [TLS] Quest for Unified Solution to TLS Reneg… David-Sarah Hopwood
- Re: [TLS] Quest for Unified Solution to TLS Reneg… David-Sarah Hopwood
- Re: [TLS] Quest for Unified Solution to TLS Reneg… Kyle Hamilton
- Re: [TLS] Quest for Unified Solution to TLS Reneg… Eric Rescorla
- Re: [TLS] Quest for Unified Solution to TLS Reneg… Blumenthal, Uri - 0662 - MITLL
- Re: [TLS] Quest for Unified Solution to TLS Reneg… David-Sarah Hopwood